Via a bug in Firefox's Error object: http://33bits.org/2010/06/01/yet-another-identity-stealing-b...
Via a bug in Google spreadsheets: http://33bits.org/2010/02/22/google-docs-leaks-identity/ (I found this one :-)
Via history stealing: http://33bits.org/2010/02/18/cookies-supercookies-and-uberco...
More sophisticated, but hypothetical version of previous: http://33bits.org/2010/02/19/ubercookies-history-stealing-so...
XSS bugs and other problems with Instant personalization partner sites: http://33bits.org/2010/09/28/instant-personalization-privacy...
I've also been predicting that this will eventually become the new normal -- both because the bugs are coming too fast to fix (and exploits in the wild will become more common) and because Facebook is pushing to change people's expectations with Instant Personalization.
The other day I attended a talk about one-click frauds. I realized that that's the perfect black-hat use-case for this class of attacks (although current 1-click fraudsters are apparently rather low tech). Stay tuned.
(You don't hear about most of these bugs, because the people who find them don't usually publish before the patch hits, but ask anyone who's reported a bunch of browser bugs how long they waited for fixes.)
As for whether it will become the new normal, that remains to be seen, but I think there are a couple of differences compared to regular privilege-escalation exploits: (1) everyone agrees that taking over your computer is malicious, whereas the perception of identity leaks is malleable; (2) identity leaks are harder to deal with: even after the relevant bug is fixed, the attacker still has the mapping of your identity to your IP/browser fingerprint.
But thanks for the comparison and I will keep an open mind about this :-)
I must say though, personally, if it is only harvesting my email address I don't really have a major issue with it. I use my email address everywhere and sign up for lots of services; Gmail is very good at spam filtering, and with unsubscribe.com and prioritized inbox I don't have a problem maintaining a zero inbox. Doesn't mean it isn't a bug that they should fix, I'm just saying that perhaps the impact is not as large as the votes that got this to the front page of Hacker News imply.
*They were notified a while back.
How can they fix it?
i. Check ip of sender and receiver
ii. Use htmlfill or append a new script instead.
I just hope that, once fixed, the exploit is released for inspection.
Might be a huge problem that takes them weeks to solve.
Sure, it could turn out I'm wrong, but I think the odds are in my favour.
This is a handy, albeit unintentional, benefit of using a desktop app-ified web site.
It's much worse. The blog author is able to send emails through an API that appear to be from "firstname.lastname@example.org" with the proper headers. So instead of getting a funny little email, you get a phishing email that even Gmail isn't smart enough to block.
But, I mean, sure, let's act scared that some website can get my gmail. You want it? I'd be happy to give it to anyone, spam or otherwise.
Update 4: Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to email@example.com.”